The Infinite Fallback: How Hono Leaked Your Cloudflare KV Keys
Vulnerability ID: CVE-2026-24473
CVSS Score: 6.3
Published: 2026-01-27
A logic flaw in Hono's serve-static middleware for Cloudflare Workers allowed attackers to bypass the asset manifest and read arbitrary keys from the underlying KV storage. It turns out that a convenient fallback mechanism is indistinguishable from a gaping security hole.
TL;DR
Hono's static asset adapter used a logical OR operator (||) to fall back to the raw request path when a file wasn't found in the manifest. This allowed attackers to request any key present in the Cloudflare Workers KV namespace, potentially exposing internal configuration or secrets if they shared the same storage bucket as your cat photos.
Technical Details
- CWE ID: CWE-200 / CWE-668
- CVSS v4.0: 6.3 (Medium)
- Attack Vector: Network
- Privileges Required: None
- Impact: Information Disclosure
- Patch Status: Released (v4.11.7)
Affected Systems
- Hono Framework (JavaScript)
- Cloudflare Workers using serve-static middleware
- Hono: < 4.11.7 (Fixed in: 4.11.7)
Code Analysis
Commit: cf9a78d
fix: serve-static for Cloudflare Workers reads arbitrary key
--- a/src/adapter/cloudflare-workers/utils.ts
+++ b/src/adapter/cloudflare-workers/utils.ts
@@ -36,7 +36,7 @@ export const getContentFromKVAsset = async (
ASSET_NAMESPACE = __STATIC_CONTENT
}
- const key = ASSET_MANIFEST[path] || path
+ const key = ASSET_MANIFEST[path]
if (!key) {
return null
}
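Review bot: the new `const key = ASSET_MANIFEST[path]` still resolves property names inherited from Object.prototype when the manifest is a plain object, so a path matching an inherited property yields a function rather than a manifest entry and is not caught by the `if (!key)` check; guard the lookup with `Object.prototype.hasOwnProperty.call(ASSET_MANIFEST, path)` (or `Object.hasOwn`) so only own manifest entries resolve, and add a regression test asserting that getContentFromKVAsset returns null for a path absent from the manifest.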
Exploit Details
- N/A: No public exploit code available yet, but trivial to reproduce manually.
Mitigation Strategies
- Enforce Strict Whitelisting: Ensure that static file servers only serve files explicitly listed in a manifest.
- Namespace Isolation: Never store sensitive configuration or internal application state in the same KV namespace used for public static assets.
- Input Validation: Sanitize and validate all path parameters before passing them to storage backends.
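To make the whitelisting point concrete, here is an added example (not Hono's code) that models the KV asset lookup with the vulnerable `|| path` fallback beside a strict manifest lookup; the manifest, the in-memory KV stand-in and the function names are constructed for illustration.

```typescript
// Constructed manifest: request path -> hashed content key, as the
// static-content manifest provides. Not Hono's real data.
type AssetManifest = Record<string, string>
export const manifest: AssetManifest = {
  'index.html': 'index.a1b2c3.html',
  'cat.jpg': 'cat.d4e5f6.jpg',
}

// Constructed stand-in for the KV namespace. It deliberately mixes public
// assets with a non-asset key, the misconfiguration the advisory warns about.
const kvStore = new Map<string, string>([
  ['index.a1b2c3.html', '<html>hello</html>'],
  ['cat.d4e5f6.jpg', 'JPEGDATA'],
  ['internal/config.json', '{"apiToken":"constructed-example"}'],
])
export function kvGet(key: string): string | null {
  return kvStore.get(key) ?? null
}

// Vulnerable resolver (pre-4.11.7 shape): an unknown path falls back to the
// raw request path, so any KV key name becomes reachable.
export function resolveKeyVulnerable(m: AssetManifest, path: string): string | null {
  return m[path] || path
}

// Strict resolver: only own manifest entries resolve; everything else is null.
// hasOwnProperty also stops inherited Object.prototype names from matching.
export function resolveKeyStrict(m: AssetManifest, path: string): string | null {
  return Object.prototype.hasOwnProperty.call(m, path) ? m[path] : null
}

// Serve through a resolver; a null key means "not a served asset" (404 upstream).
export function getAsset(
  resolve: (m: AssetManifest, p: string) => string | null,
  path: string,
): string | null {
  const key = resolve(manifest, path)
  if (!key) return null
  return kvGet(key)
}
```

With the strict resolver, any path not listed in the manifest is rejected before KV is consulted, which is the behaviour the 4.11.7 fix restores.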
Remediation Steps:
- Upgrade Hono to version 4.11.7 or higher immediately.
- Audit your Cloudflare Workers KV namespaces. If you are mixing secrets and assets, separate them into distinct namespaces.
- Review your wrangler.toml configuration to ensure proper namespace bindings.
References
Read the full report for CVE-2026-24473 on our website for more details including interactive diagrams and full exploit analysis.